Introduction to Nmap scripting engine on CyberScope

In our previous post we talked about vulnerability assessments and why it's important to perform them. One of the main difficulties with performing vulnerability assessments is figuring out the right command line parameters for Nmap. Let's look at what the Nmap Scripting Engine (NSE) is and how we can use it with the CyberScope; in our next blog post we'll expand on it by writing some custom scripts! I've been using Nmap for two decades now and still, to this day, sometimes forget which command line switches to use.

What is the Nmap Scripting Engine?

NSE is a compelling feature of Nmap that allows anyone to write and share scripts that fall into various categories. At the most basic level, an NSE script can perform network discovery queries for you, such as obtaining additional whois information, SNMP query details, and NFS/SMB share information. These discovery scripts can generate "devices of concern" lists for further investigation with version detection scripts, and more. As we'll see in the next blog post of this series on the CyberScope, we can extend these even further by querying vendor APIs such as MIST or Meraki to get more details about wireless clients.

The Value of NSE Scripts

But why is version detection important? Before answering, let's first provide a bit more background. If we ran an NSE script or even a basic Nmap port scan and saw that port 80 was open, we know there is a web server on that device. Hopefully, port 443 for SSL is also available. Though 443 is the preferred port, for this example we'll discuss port 80, which from a security standpoint tells us very little on its own during our scans. We can create a reporting rule that alerts us when port 80 is open, but that doesn't mean anything is wrong or can be compromised. So, why is version detection important? We need version detection to decide what action happens next, based on the initial scan results. We can add a step inside our NSE script that sends an HTTP request known to produce a recognizable response, match that response with a regular expression (the same as searching for text, but done programmatically within the script), and ultimately call nmap.set_port_version. Now, instead of the service being reported simply as HTTP, we can set the version to reflect the actual web server software in use, such as Apache2 or nginx. Having this data enables the next step in NSE scripts: vulnerability detection. We'll talk more about this and see how it is implemented in our next blog post.
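The steps just described, as an added example written for this post rather than taken from NetAlly or the Nmap project: a minimal NSE version script that requests "/" from an open HTTP port, matches the Server header with a Lua pattern, and records the product and version through nmap.set_port_version. It uses only the http, shortport and nmap libraries that ship with Nmap; the script name and the response values in the comments are assumed.

```lua
-- http-server-banner.nse (hypothetical name). Version-category script:
-- runs with "nmap -sV --script http-server-banner <target>" once the
-- file is in Nmap's scripts directory. Read-only request, so it also
-- belongs to the "safe" category (no brute forcing, no exploitation).
local http      = require "http"
local nmap      = require "nmap"
local shortport = require "shortport"

description = [[
Identifies the web server product and version from the HTTP Server header.
]]
author     = "example"
license    = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"version", "safe"}

-- Only run against ports that are open and look like plain HTTP.
portrule = shortport.port_or_service({80, 8080}, "http")

action = function(host, port)
  local response = http.get(host, port, "/")
  if not response or not response.header then
    return nil                       -- no usable response, leave version alone
  end

  -- The http library lowercases header names; e.g. "nginx/1.18.0" or
  -- "Apache/2.4.41 (Ubuntu)" (constructed sample values).
  local server = response.header["server"]
  if not server then
    return nil
  end

  -- "product/version" prefix; falls back to the raw header if the
  -- server only announces a name without a version.
  local product, version = server:match("^([%w%-_]+)/([%d%.]+)")
  port.version.name    = "http"
  port.version.product = product or server
  port.version.version = version     -- may be nil, which is acceptable

  -- Persist the result so -sV output shows the real server software.
  nmap.set_port_version(host, port, "hardmatched")
  return nil
end
```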

Performing Vulnerability Checks with NSE

While Nmap isn't a fully comprehensive vulnerability scanner, you can perform reasonably complex vulnerability checks with NSE. We can build vulnerability detection scripts on top of traditional port scanning and version detection, and associate that data with Common Vulnerabilities and Exposures, or CVEs. Coupling this with CyberScope's ability to run NSE against devices found during Discovery, and to log the results to Link-Live, creates a fully automated reporting platform with minimal impact on the network and systems.

Ethical Usage of NSE Scripts

This wouldn't be a complete post about a security tool without a paragraph on caution and appropriate usage. While one of the goals of the CyberScope is to "domesticate" Nmap by making it easier to use, we need to make sure our use of it falls within the definition of an ethical hacker. Some NSE script categories actively attempt to brute force or exploit a vulnerability, which can cause devices to fail or generate excessive traffic on a network. As you review the scripts you wish to load onto your CyberScope, it is essential to understand the difference between "safe" and "intrusive" scripts and use them accordingly.

Author Bio – Blake Krone
Mobility Consultant
Blake Krone is an independent Mobility Consultant and developer. His primary focus is providing solutions for the next generation of devices and business use cases for many Fortune 500 companies and startups. He has developed training materials and presentations through his experience deploying some of the largest single-site networks, sharing the knowledge and insights gained. When he isn’t designing and deploying networks, he builds data analysis tools and tests client devices and tools.